    This is a backport from 5.1.32 into 5.1.31sp1. · 1b5814d3
    Joerg Bruehe authored
    The original fix was done by Gleb Shchepa on 2009-01-21
    All comments are copied from the original fix:
    
    
    Bug#42188: crash and/or memory corruption with user variables 
               in trigger
    
    Interchangeable calls to the mysql_change_user client function 
    and invocations of a trigger changing some user variable caused 
    a memory corruption and a crash.
    
    The mysql_change_user API call forces THD::cleanup() on a server 
    that frees user variable entries.
    However it didn't reset Item_func_set_user_var::entry to NULL 
    because Item_func_set_user_var::cleanup() was not overloaded.
    So, Item_func_set_user_var::entry held a pointer to freed memory,
    that caused a crash.
    
    The Item_func_set_user_var::cleanup method has been overloaded
    to clean up the Item_func_set_user_var::entry field.
    
    mysql-test/r/user_var.result:
      Added test case for bug #42188.
    mysql-test/t/user_var.test:
      Added test case for bug #42188
      and
      After-push test file update (see bug 42321)
    sql/item_func.cc:
      Bug#42188: crash and/or memory corruption with user variables
                 in trigger
      
      The Item_func_set_user_var::cleanup method has been overloaded
      to clean up the Item_func_set_user_var::entry field.
    sql/item_func.h:
      Bug#42188: crash and/or memory corruption with user variables
                 in trigger
      
      The Item_func_set_user_var::cleanup method has been overloaded
      to clean up the Item_func_set_user_var::entry field.
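An added illustration of the bug class the commit message describes, written for this page as a simplified C++ model and not taken from the MySQL source. The names Session, VarEntry, SetVarItem and FixedSetVarItem and the epoch counter are assumptions; the epoch check lets the model report the stale cached pointer instead of writing through freed memory.

```cpp
#include <map>
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-ins: Session owns the user variable entries,
// SetVarItem plays the role of the item that caches a pointer to one.
struct VarEntry { long value = 0; };

struct Session {
    std::map<std::string, std::unique_ptr<VarEntry>> vars;
    unsigned epoch = 0;                       // bumped whenever entries are freed
    VarEntry *lookup(const std::string &n) {
        auto &slot = vars[n];
        if (!slot) slot.reset(new VarEntry());
        return slot.get();
    }
    void cleanup() { vars.clear(); ++epoch; } // frees every VarEntry
};

struct Item {
    virtual ~Item() = default;
    virtual void cleanup() {}                 // base class knows nothing about entry
};

struct SetVarItem : Item {
    std::string name;
    VarEntry *entry = nullptr;                // cached across executions
    unsigned entry_epoch = 0;
    explicit SetVarItem(std::string n) : name(std::move(n)) {}
    // Returns false where the real code would write through a freed pointer.
    bool set(Session &s, long v) {
        if (!entry) { entry = s.lookup(name); entry_epoch = s.epoch; }
        if (entry_epoch != s.epoch) return false;  // stale cache: use-after-free
        entry->value = v;
        return true;
    }
};

struct FixedSetVarItem : SetVarItem {
    using SetVarItem::SetVarItem;
    void cleanup() override { Item::cleanup(); entry = nullptr; } // drop the cache
};

// Execute once, free the session's entries, clean up the item, execute again.
bool survives_change_user(SetVarItem &item) {
    Session s;
    item.set(s, 1);
    s.cleanup(); item.cleanup();
    return item.set(s, 2) && s.vars.at(item.name)->value == 2;
}
```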